DECISION ON APPEAL

STATEMENT OF THE CASE 
This is an appeal under 35 U.S.C. § 134(a) from the Examiner's 
rejection of claims 1-36. We have jurisdiction under 35 U.S.C. § 6(b). 
We affirm. 

Invention 

Appellants' invention relates to characterization techniques for 
thwarting network-related denial of service attacks. (Spec. 1, ll. 2-4.)
Attack characterization 139 (Fig. 12) is based on comparison of historical
histogram data with near-real-time histogram data for one or several
parameters. (Id. at 25, ll. 23-28.)

Representative Claim 

7. A method for thwarting denial of service attacks on a data center, 
the method comprising: 

producing a histogram of received network traffic for at least one 
parameter of network packets; and 

characterizing an attack based on comparison of a historical histogram 
with the produced histogram data for one or more parameters. 

Prior Art 

Wetherall US 2002/0107960 Aug. 8, 2002 

Botros US 6,769,066 B1 July 27, 2004

Examiner's Rejections/Claims

Claims 7, 9-14, 19-23, and 26 stand rejected under 35 U.S.C. § 102(e) 
as being anticipated by Botros. 

Claims 1-6, 8, 15-18, 24, 25, and 27-36 stand rejected under 35 U.S.C. 
§ 103(a) as being unpatentable over Botros and Wetherall.^ 

Claims 37-40 are indicated as being allowable. (Ans. 3.) 

Claim Groupings 

Based on Appellants' arguments in the Appeal Brief, we will select a 
representative claim for each group submitted by Appellants, to the extent 
that groups are argued separately. See 37 C.F.R. § 41.36(c)(1)(vii).

FINDINGS OF FACT 

Botros 

1. Botros describes a computer network intrusion detection
program comprising a method and system for training a model using
historical and statistical data in conjunction with hypothetical anomalous
behavior data for a computer network. Col. 5, ll. 35-38.

2. Using historical data, a feature generator generates a features
list to take into account changing behavior of a user and the user's peers.
Id., ll. 38-42.



^ The Examiner's initial listing of the claims rejected under § 103(a) does 
not include claims 28 and 29, but the claims are addressed in the body of the 
rejection. 

Feature Generator

3. User activity data files 12 (Fig. 2) contain raw user data drawn
from, for example, operating system files, operations on programs or files,
and badge-in data. Col. 5, ll. 44-51; col. 6, ll. 37-42.

4. Historical data files 102 (Fig. 2) contain data relating to prior
activity performed by a user and cumulative data of activities performed by
the peer group in a particular time frame. Col. 5, ll. 51-54.

5. User activity files 12 and historical data 102 serve as inputs to
feature generator 104 (Fig. 2), which in turn outputs a features list 106. The
features can be classified into categories, such as violations, user activities,
computer loads, and network loads. Col. 5, l. 62 - col. 6, l. 4.

Neural Network Training 

6. Figure 10 is a histogram graph showing the distribution of
normal feature values for a selected feature to define normal patterns.
Col. 11, ll. 36-51.

7. The data for the normal feature value (Fig. 10) may come from
all users of a computer system over a given period. The data is used to train
model 108 (Fig. 2). Col. 10, ll. 17-39.

8. Figure 11 is a histogram graph for anomalous data, generated
by a modeler or systems analyst based on a priori knowledge. The
histogram of Figure 11 shows the distribution of anomalous feature values
for a selected feature for all users over a period of time. The graph may
represent, for example, a higher than expected number of attempted logins
over a specific period. Col. 11, l. 52 - col. 12, l. 5; col. 10, ll. 54-65.

9. Feature values representative of anomalous data are generated
by random sampling of anomalous histograms (e.g., Fig. 11). Col. 12, ll. 15-17;
col. 10, l. 66 - col. 11, l. 12.

10. Normal and anomalous feature data for a single feature are
input to selector 1306 (Fig. 13), for entry into neural network training
algorithm 1308 and model 108. Col. 12, ll. 25-51. See also flowchart Fig.
14; col. 12, l. 52 et seq.

11. The trained model is used for recognizing potential intrusions.
Col. 6, ll. 9-21.

PRINCIPLES OF LAW 

Claim Interpretation 

The claims measure the invention. See SRI Int'l v. Matsushita Elec. 
Corp., 775 F.2d 1107, 1121 (Fed. Cir. 1985) (en banc). Our reviewing court
has repeatedly warned against confining the claims to specific embodiments 
described in the specification. Phillips v. AWH Corp., 415 F.3d 1303, 1323 
(Fed. Cir. 2005) (en banc). During prosecution before the USPTO, claims 
are to be given their broadest reasonable interpretation, and the scope of a 
claim cannot be narrowed by reading disclosed limitations into the claim. 
See In re Morris, 127 F.3d 1048, 1054 (Fed. Cir. 1997); In re Zletz, 893 F.2d 
319, 321 (Fed. Cir. 1989); In re Prater, 415 F.2d 1393, 1404-05 (CCPA 
1969). "An essential purpose of patent examination is to fashion claims that 
are precise, clear, correct, and unambiguous. Only in this way can 
uncertainties of claim scope be removed, as much as possible, during the 
administrative process." In re Zletz, 893 F.2d at 322. 

The content of nonfunctional descriptive material is not entitled to
weight in the patentability analysis. See In re Lowry, 32 F.3d 1579, 1583
(Fed. Cir. 1994) ("Lowry does not claim merely the information content of a
memory. . . . Nor does he seek to patent the content of information resident
in a database."). See also Ex parte Nehls, 88 USPQ2d 1883, 1887-90 (BPAI
2008); Ex parte Curry, 84 USPQ2d 1272 (BPAI 2005) (nonprecedential)
(Fed. Cir. Appeal No. 2006-1003, aff'd Rule 36 June 12, 2006); Manual of
Patent Examining Procedure (MPEP) § 2106.01.

Anticipation 

Anticipation requires the presence in a single prior art reference 
disclosure of each and every element of the claimed invention, arranged as 
in the claim. Lindemann Maschinenfabrik GmbH v. American Hoist & 
Derrick Co., 730 F.2d 1452, 1458 (Fed. Cir. 1984). 

Obviousness 

The question of obviousness is resolved on the basis of underlying 
factual determinations including: (1) the scope and content of the prior art, 

(2) any differences between the claimed subject matter and the prior art, and 

(3) the level of skill in the art. Graham v. John Deere Co., 383 U.S. 1, 17 
(1966). "The combination of familiar elements according to known methods 
is likely to be obvious when it does no more than yield predictable results." 
KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398, 416 (2007).

ANALYSIS

I. Summary of Decision
For the reasons that follow, we are not persuaded that any claim has 
been rejected in error. We therefore sustain the rejection of claims 7, 9-14, 
19-23, and 26 under 35 U.S.C. § 102(e) as being anticipated by Botros and 
the rejection of claims 1-6, 8, 15-18, 24, 25, and 27-36 under 35 U.S.C. § 
103(a) as being unpatentable over Botros and Wetherall. 

II. Section 102 rejection
Claim 7 

Appellants admit that Botros discloses a histogram, but contend that 
the reference fails to disclose producing a histogram of received network 
traffic. Appellants submit that in Botros the histogram is derived from "user 
logs." (App. Br. 11.) Appellants also contend that Botros does not describe 
"characterizing an attack based on comparison of a historical histogram with 
the produced histogram data for one or more parameters," because Botros 
does not use the histograms to characterize an attack. According to 
Appellants, Botros uses a neural network that is trained by histograms, rather 
than comparing a historical histogram with a produced histogram. (Id. at 12-13.)

The Examiner finds that Botros discloses using computer and network 
loads in generating histograms, rather than merely "user logs." (Ans. 9; FF 
5.) The Examiner further finds that the Botros neural network 
"characterizes" an attack as claimed. (Ans. 10-11; FF 10-11.) The 
Examiner also finds that Botros describes comparison of historical and 
produced histogram data, consistent with claim 7. (Ans. 10; FF 6-11.) 

Appellants change position in the Reply Brief and submit that the
claimed histogram is "at the level of the network packets and for a parameter
of the network packets," and further that "Botros does not disclose any
mechanism to collect data on a parameter of network packets." (Reply Br. 2.)

Claim 7, however, does not recite or require any "mechanism to 
collect data on a parameter of network packets." The steps of claim 7 are 
directed to "producing a histogram" and "characterizing an attack." The 
claim does not specify any source for the data needed for "producing a 
histogram," nor does it specify any source for the data needed for 
comparison of "a historical histogram" with the "produced histogram data 
for one or more parameters." 

We are not persuaded of error in the Examiner's finding of 
anticipation with respect to claim 7, in view of the broad scope of the terms 
Appellants have chosen in setting forth the invention. 

Moreover, Appellants' reliance on what the histograms are to
represent relates to the content of nonfunctional descriptive material, not
entitled to weight in the patentability analysis. What the particular data is 
deemed to represent does not alter how the process steps are to be performed 
to achieve the utility of the invention. Rather, the invention, as broadly 
claimed, manipulates data that, at best, is mere data that might reside in a 
database. Botros discloses producing a histogram for a parameter and 
reaching a conclusion (characterizing) an attack based on comparison of two 
histograms, which is all that claim 7 requires. 

Claim 9

Claim 9 recites that the historical histogram "is based on time periods 
that range from 1 hour to 1 week or more." 

In Botros, historical data is typically compiled from activities over the
course of a particular day (col. 7, ll. 11-23) and may account for periods in
the range of four to six months (col. 10, ll. 29-33), which we find to be
reasonably within the range of claimed "time periods." Moreover, the
"historical histogram" to the extent claimed represents nonfunctional 
descriptive material, as it is merely a plotting of points (as shown by Botros 
in Figure 10). 

Claim 11 

Appellants contend that the Examiner errs in finding that material at
column 9, lines 24 through 50 of Botros anticipates claim 11. That section
of the reference describes computing deviation by a user from normal peer
activity by subtracting the user's current activity from the peer historical
mean and dividing the result by the peer historical standard deviation (col. 9,
ll. 35-41). Appellants argue "[t]here is no mention in Botros that the
histograms are used in subtracting." (Reply Br. 3.)

Botros discloses that feature values may be plotted as histograms 
(e.g., Figs. 10-11; FF 6-8). We are not persuaded that computing difference 
in "histograms" is any different from the operation described by Botros, 
even if the reference does not "mention" histograms in the subtracting. For 
a prior art reference to anticipate in terms of 35 U.S.C. § 102, every element 
of the claimed invention must be identically shown in a single reference. 
However, this is not an "ipsissimis verbis" test. In re Bond, 910 F.2d 831,
832 (Fed. Cir. 1990).

Claim 19 

Claim 19 recites wherein the method of claim 7 "is executed on a data 
collector." 

We agree with the Examiner that a computer is a "data collector," for 
all that claim 19 requires. The claim is thus anticipated by Botros. 

Claim 22 

Claim 22 recites the monitoring "device" of claim 21, further 
comprising a "process." The "process" that is part of the "device" is "to 
correlate suspicious parameters to reduce blocking of legitimate traffic." 

The Examiner finds that the description in Botros (col. 12, l. 52 - col.
13, l. 3) of setting probabilistic parameters to reduce "false positives" meets
the terms of the claim. (Ans. 12.)

Appellants submit that Botros "does not describe any correlation 
process." (Reply Br. 3.) 

However, the "process" as claimed does not specify with what the
"suspicious parameters" may be correlated. The "suspicious parameters"
could be correlated with normal, expected parameters to reduce "false
positives" and thus reduce blocking of legitimate traffic. Appellants'
remarks do not appear commensurate with the scope of the invention
claimed.

Appellants have not provided a convincing explanation as to why the
Examiner's finding of anticipation with respect to claim 22 should be 
considered erroneous. 

III. Section 103 Rejection
Claim 1 

The Examiner finds that Botros teaches all of claim 1 except for the 
last-named "process" for filtering of network packets based on the 
characterization "process." (Ans. 5-6.) 

Appellants' response is based on denials - similar to those in the
response to the rejection of claim 7 - that Botros teaches something more
than "user logs." We find the arguments unpersuasive of error.

Appellants also contend there "is no suggestion or motivation to 
combine Botros with Wetherall" because the modification "would not serve 
any purpose in Botros, since Botros does not specifically deal with the 
problem addressed by Wetherall and filtering spoofed source addresses . . . 
would not have any effect on the user logs disclosed by Botros at least 
because the user logs of Botros are not disclosed as being dependent on the 
source address." (App. Br. 17-18.) 

Claim 1, however, merely recites a "process" for filtering of network 
packets based on the characterization "process," which is described by 
Botros. Wetherall teaches a "process" for filtering of network packets (e.g., 
Fig. 2, elements 210, 212). We agree with the Examiner that the combined 
teachings would have suggested filtering of network packets as a response to 
attacks, whether a "denial of service" attack described by Wetherall (¶¶
[0006] - [0007]) or a computer network intrusion described by Botros (col.
5, ll. 35-42).

Claim 2 

Claim 2 recites that in the "characterization process, suspicious 
parameter values are represented by a bit vector," with "1" corresponding to 
a "bad" value and "0" corresponding to a "good" value. 

The claim does not require anything of the "suspicious parameter 
values," other than being "represented" by a bit vector with bits 
"corresponding" to what the bits may be deemed to represent. How unused 
"values" may be represented by bits does not alter how the process steps are 
to be performed to achieve the utility of the invention. Both the "suspicious 
parameter values" and the string of bits constituting the "bit vector" 
represent mere data - nonfunctional descriptive material - that is not
entitled to weight in the patentability analysis. We agree with the Examiner 
that data (comprised of bits) in a computer as described by Botros is 
sufficient to meet the terms of claim 2. 

Claim 6 

Claim 6 depends from claim 1, adding "wherein parameters include"
at least one of a list that includes "IP source address." The "parameters" of 
claim 6 are not necessarily related to the single "parameter" of base claim 1, 
according to the language of the claim. 

In any event, Appellants argue as if claim 6 somehow further limits
the single "parameter" of claim 1. Appellants contend that "claim 6 uses the
source address to determine if the values of source address exceed normal
values to indicate an attack, Wetherall, in contrast does not classify the
attack based on the source IP Address, but instead uses a histogram of
source address as a basis for filtering of the packets." (Reply Br. 6.)

Wetherall teaches determining whether a source address is being used 
for an attack by comparing the observed S/D/M/T
(spatial/destination/migration/timing) profile to that of a reference S/D/M/T
profile. Wetherall ¶¶ [0028]; [0036] - [0040]. Even if the "parameters" of
claim 6 were to relate to the single "parameter" of claim 1, the base claim recites
determining if plural "values" of the single parameter exceed normal plural 
"values" for the parameter. We agree with the Examiner that Wetherall at 
least suggests determining if "values" of a single parameter (IP source 
address) exceed normal values for the parameter, as the observed S/D/M/T 
profile may deviate in values (greater or lesser) from those of the reference 
S/D/M/T profile and thus indicate an attack. Appellants' arguments are not 
commensurate in scope with claim 6, even assuming that the claim further 
limits the single "parameter" of claim 1. 

Claim 8 

Claim 8 recites filtering network packets sent to the data center "based 
on whether or not a value of the attribute represented in the current
histogram is within a normal range of values for the attribute, as determined 
by comparison to the historical histogram." "[T]he attribute" is not defined 
in claim 8 or in base claim 7, and further lacks proper antecedent basis in the 
claim. 

Appellants argue that "Botros does not suggest a bit vector or that 
suspicious parameter values are represented by a bit vector" (App. Br. 20; 
Reply Br. 5-6), which does not persuade us of error in the rejection of claim
8.

Claim 15 

We refer to the Answer for the Examiner's findings with respect to 
claim 15. Appellants' arguments are based on the nonfunctional descriptive 
material comprising a "master correlation vector" which is put to no use, 
according to the claim. We are not persuaded of error in the rejection of 
claim 15. 

Claim 32 

Appellants' remarks in defense of claim 32 repeat the supposed 
deficiencies in the combination of Botros and Wetherall, which we again 
find unpersuasive of error. 

Claim 33 

Claim 33 recites communicating undefined "statistics" collected in the 
gateway to a control center, which does nothing with the "statistics." 

Wetherall teaches that the director 102 (Fig. 1) may be embodied as 
several directors, with one serving as a master and the others serving as 
slaves. Wetherall ¶¶ [0027]; [0033]. Wetherall at least suggests
communicating undefined "statistics" collected in a gateway (slave director) 
to a control center (master). 

DECISION

The rejection of claims 7, 9-14, 19-23, and 26 under 35 U.S.C. § 
102(e) as being anticipated by Botros is affirmed. 

The rejection of claims 1-6, 8, 15-18, 24, 25, and 27-36 under 35 
U.S.C. § 103(a) as being unpatentable over Botros and Wetherall is 
affirmed. 

No time period for taking any subsequent action in connection with 
this appeal may be extended under 37 C.F.R. § 1.136(a). 

AFFIRMED 